Secure App Development on iOS and Android
Posted 15-Jan-2016, category: Documents
Secure App Development on iOS and Android
Secure App Development on Mobile Platforms
Mohit Mathur, Senior Software Engineer, Symantec
September 10th, 2011
Goal of the Session
1. Myths about Data Security on Smartphones
2. How to Develop a Secure Application?
Agenda
1. Popular Smartphone Platforms - iOS & Android
2. Data Storage Options available on iOS and Android
3. Myths about Data Security on Smartphones
4. How to really Safeguard your Data?
5. Conclusion
Popular Smartphone Platforms
Data Storage Options Available
• iOS Keychain:
  – Storage area available on iOS devices.
  – Gets preserved across app re-installation.
  – Data lives in the keychain indefinitely once saved.
• Android Internal Storage:
  – Stores private data in the device memory.
  – Files saved to the internal storage are private to your application.
  – When the user uninstalls the application, the associated files are removed.
Data Storage Options Available
• iOS Keychain (create the keychain query, then add the data to the keychain):

```objc
#import <Security/Security.h>
NSMutableDictionary *addQuery = [[NSMutableDictionary alloc] init];      // create the keychain query
[addQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];   // the item class is mandatory
[addQuery setObject:@"myData" forKey:(id)kSecAttrAccount];               // name that identifies the item
[addQuery setObject:data forKey:(id)kSecValueData];                      // data is an NSData *
OSStatus status = SecItemAdd((CFDictionaryRef)addQuery, NULL);           // add the data to the keychain
```

• Android Internal Storage (create the file, then add the data to the file):

```java
File file = new File(getFilesDir(), "myData");                           // file in app-private internal storage
DataOutputStream dos = new DataOutputStream(new FileOutputStream(file)); // getFilesDir() is a Context method
try { dos.write(data); } finally { dos.close(); }                        // add the data (byte[]) to the file
```
Myths about Data Security on Smartphones
• Security features provided by iOS & Android:
  – Passcode
  – Hardware Encryption
  – Encrypted Keychain
  – “Just” Delete your Data
  – Relying on User IDs and File Access
Myths about Data Security on iOS
• Passcode:
  – Anyone with the right know-how can delete a file and your passcode goes away.
  – All it takes is “ONE MINUTE” to do it.
Courtesy: Dark Myles. Source: YouTube
Myths about Data Security on iOS
• Hardware Encryption:
  – Russian security outfit ElcomSoft has discovered a method that allows them to copy and decrypt the memory of iOS devices that have built-in hardware encryption.
  – Using a special RAMDisk driver they could boot the iOS device in DFU (Device Firmware Upgrade) mode.
  – This exposes the data stored in the memory.
  – The various keys needed to decrypt the data are extracted from the device by running special tools.
  – ElcomSoft maintains that it will restrict its discovery to law enforcement, forensic and intelligence organizations.
  – But thousands of similar tools are already freely available on the internet for anyone to use.
Myths about Data Security on iOS
• Encrypted Keychain Backup:
  – There are simple tools available on the internet that defeat the password set on an encrypted keychain backup.
  – In no time a hacker can access any file in your encrypted backup.
• Just “Delete” the Data:
  – People who are already familiar with OS X raw disks know how to access deleted information, like email, images, voicemail and application data.
  – The raw disk gives [hackers] access to the iPhone's entire file system, not just user data, including content that is not normally synchronized.
  – Even if you delete data on an iOS device, it is not actually deleted.
  – One should use Apple’s disk utility service to wipe an entire device clean.
Myths about Data Security on Android
• Relying on User IDs and File Access:
  – The filesystem is still accessible to hackers.
  – App data can easily be cloned.
Ever given it a thought?
Courtesy: Mohit
Myths about Data Security on Smartphones
• Let’s revisit the security features provided by iOS & Android:
  – Passcode
  – Hardware Encryption
  – Encrypted Keychain
  – “Just” Delete your Data
  – Relying on User IDs and File Access
• Relying on platform security features alone does not serve the purpose.
How to Really Safeguard your Data
• What does a typical mobile app need?
  – Secure local device storage.
  – Secure communication with the cloud.
  – Sharing data among the same family of apps.
How to Really Safeguard your Data
• Secure Data Storage:
  – Use 3 levels of security:
    1. Encipher your data with stronger encryption (protection from hackers).
    2. Tie data to the device (strong protection from hackers).
    3. Sign your app (protection from malicious apps).
How to Really Safeguard your Data
– Encrypt Data:
  iOS - CCCrypt API (Security.h package)
    o Uses strong encryption: AES with a 256-bit key.
    o Supports CBC.
How to Really Safeguard your Data
– Encrypt Data:
  Android - Bouncy Castle Crypto APIs
    o Uses strong encryption: AES with a 256-bit key.
    o Supports CBC.
  The slide’s code listing (an image not captured in this transcript) is annotated with these steps:
    1. Consume the key, salt and iteration count to initialize the generator.
    2. Generate the key and IV of the given size.
    3. Initialize the cipher engine: type AES, padding PKCS7, indicating it is an encryption flow.
    4. Allocate the byte array that will hold the cipher text.
    5. Encrypt the plaintext.
    6. Finalize the cipher text.
How to Really Safeguard your Data
– Tie Data to the Device:
  Use device-specific unique data as a part of your encryption key.
    o iOS – MAC address or UDID
    o Android – IMEI for GSM phones and the MEID or ESN for CDMA phones.
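The Bouncy Castle encryption steps from the previous slide and the device-bound key from this one, as a single added Java example (not code from the slides): PBKDF2 derives the AES-256 key and IV from an app secret joined with a device identifier plus a random salt, and AES/CBC/PKCS7 then encrypts and decrypts. The app secret, the sample IMEI and the iteration count are constructed placeholders; on a device the identifier would come from TelephonyManager.getDeviceId().

```java
import java.security.SecureRandom;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.PBEParametersGenerator;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PKCS7Padding;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.ParametersWithIV;

/** AES-256/CBC/PKCS7 (Bouncy Castle lightweight API) with a key tied to the device. */
public class DeviceBoundCrypto {
    private static final int ITERATIONS = 10000; // PBKDF2 iteration count (assumed value)

    /** Derive a 256-bit key and 128-bit IV from app secret + device id, salt and iterations. */
    static ParametersWithIV deriveParams(String appSecret, String deviceId, byte[] salt) {
        // Tie data to the device: the KDF password includes the device identifier. It is
        // joined with an app secret because the identifier alone is readable by other apps.
        byte[] password = PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(
                (appSecret + "|" + deviceId).toCharArray());
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(); // PBKDF2-HMAC-SHA1
        gen.init(password, salt, ITERATIONS);                              // key, salt & iter
        return (ParametersWithIV) gen.generateDerivedParameters(256, 128); // key and IV sizes
    }

    /** Run the cipher engine; forEncryption selects the encryption or decryption flow. */
    static byte[] run(boolean forEncryption, ParametersWithIV params, byte[] input)
            throws InvalidCipherTextException {
        PaddedBufferedBlockCipher cipher = new PaddedBufferedBlockCipher(
                new CBCBlockCipher(new AESEngine()), new PKCS7Padding()); // AES, CBC, PKCS7
        cipher.init(forEncryption, params);
        byte[] out = new byte[cipher.getOutputSize(input.length)];     // holds the cipher text
        int n = cipher.processBytes(input, 0, input.length, out, 0);   // process the bulk
        n += cipher.doFinal(out, n);                                   // finalize (padding)
        byte[] result = new byte[n];
        System.arraycopy(out, 0, result, 0, n);
        return result;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);          // store the salt next to the cipher text
        String deviceId = "358240051111110";         // constructed sample IMEI, not a real device
        ParametersWithIV p = deriveParams("app-secret-placeholder", deviceId, salt);
        byte[] ct = run(true, p, "account token".getBytes("UTF-8"));
        System.out.println(new String(run(false, p, ct), "UTF-8"));
        // Same secret and salt but a different device id derives a different key, so cipher
        // text cloned to another device does not decrypt (almost always a padding error).
        ParametersWithIV other = deriveParams("app-secret-placeholder", "000000000000000", salt);
        try { run(false, other, ct); } catch (InvalidCipherTextException e) {
            System.out.println("wrong device: " + e.getMessage());
        }
    }
}
```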
How to Really Safeguard your Data
– Sign your App:
  iOS:
    o Use Apple-issued signing certs & provisioning profiles.
    o In Xcode, under Project > Edit Project Settings > Build > Code Signing Identity, select your cert to sign your app file.
  Android:
    o Use signing certs issued by any CA (like Symantec).
    o Symantec issues a signing cert at a $499/year subscription charge (https://www.verisign.com/code-signing/sun-java/index.html?sl=productdetails).
    o Use the <signjar> ant task in build.xml to sign your apk file.
  – The platform enforces data sandboxing for your app.
  – A malicious app cannot access your app data, as it is not signed by the same certificate.
How to Really Safeguard your Data
• Secure Communication with Cloud:
  – Use the HTTPS protocol.
    iOS – NSURLConnection + HTTPS protocol
    Android – javax.net.ssl.HttpsURLConnection
  – Identify the list of supported cipher suites and enable only strong ciphers. Example – TLS_RSA_WITH_AES_256_CBC_SHA
    iOS – CFNetwork framework.
    Android – javax.net.ssl.SSLSocket / SSLEngine [getSupportedCipherSuites(), setEnabledCipherSuites()]
  – Use a MAC (Message Authentication Code) to verify that the request is coming from a legitimate client.
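An added Java example (not code from the slides) of the Android cipher-suite step: a wrapper around the platform SSLSocketFactory that calls getSupportedCipherSuites() and setEnabledCipherSuites() on every socket so only an allow-list is negotiated, and fails closed when the platform supports none of the listed suites. The allow-list holds the suite the slide names; the class name and list contents are this example's own choices, and the list is where you put whatever your current platform policy mandates.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Wraps the platform SSLSocketFactory and enables only an allow-list of cipher suites. */
public class StrongCipherSocketFactory extends SSLSocketFactory {
    // Allow-list; TLS_RSA_WITH_AES_256_CBC_SHA is the suite named on the slide.
    static final List<String> ALLOWED = Arrays.asList("TLS_RSA_WITH_AES_256_CBC_SHA");
    private final SSLSocketFactory delegate;

    public StrongCipherSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    /** Intersect the suites the platform supports with the allow-list; fail closed if none. */
    static String[] pickStrong(String[] supported) {
        List<String> strong = new ArrayList<String>();
        for (String suite : supported) if (ALLOWED.contains(suite)) strong.add(suite);
        if (strong.isEmpty()) throw new IllegalStateException("no allowed cipher suite supported");
        return strong.toArray(new String[strong.size()]);
    }

    // Apply the restriction to every socket the delegate creates, before the handshake.
    private Socket restrict(Socket s) {
        SSLSocket ssl = (SSLSocket) s;
        ssl.setEnabledCipherSuites(pickStrong(ssl.getSupportedCipherSuites()));
        return ssl;
    }

    @Override public String[] getDefaultCipherSuites() { return pickStrong(delegate.getSupportedCipherSuites()); }
    @Override public String[] getSupportedCipherSuites() { return getDefaultCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean close) throws IOException {
        return restrict(delegate.createSocket(s, h, p, close));
    }
    @Override public Socket createSocket(String h, int p) throws IOException {
        return restrict(delegate.createSocket(h, p));
    }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException {
        return restrict(delegate.createSocket(h, p, lh, lp));
    }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException {
        return restrict(delegate.createSocket(h, p));
    }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException {
        return restrict(delegate.createSocket(h, p, lh, lp));
    }
}
```

Install it on each HttpsURLConnection with `conn.setSSLSocketFactory(new StrongCipherSocketFactory((SSLSocketFactory) SSLSocketFactory.getDefault()))`; a server that offers none of the allowed suites then fails the handshake instead of the client silently falling back to a weaker suite.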
How to Really Safeguard your Data
• Share Data among Same Family of Apps:
  – iOS: App ID = <Bundle Seed ID>.<Bundle Identifier>
    The Bundle Seed ID must be the same for all the apps of your family.
    App IDs should be added to the Entitlements.plist file in Xcode.
    Add the kSecAttrAccessGroup attribute to your keychain items.
    All the apps MUST be signed with the same certificate.
How to Really Safeguard your Data
• Share Data among Same Family of Apps:
  – Android: Add the “sharedUserId” attribute value in AndroidManifest.xml.
    Sign all the apps with the same certificate.
Conclusion
• Do not completely rely on the security features provided by the platform.
• Enforce stronger security:
  – Encipher your data with stronger encryption.
  – Tie data to the device.
  – App signing.
  – Eliminate weak SSL cipher suites for your platform.
  – Securely share data among your family of applications.
VIP Access
• VIP = Validation & ID Protection.
• Provides OATH-compliant second-factor authentication.
• Protects your online accounts by requiring a security code -- in addition to your user name and password -- for safe and secure account access.
• App available both for Consumer and Enterprise users.
• Supports around 800+ mobile devices across the globe.
• To get your own VIP credential for FREE, log on to the following URL from your mobile browser: m.verisign.com
• For more information, visit: idprotect.verisign.com
Q&A

Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Mohit [email protected]